Bill Davidson wrote:
Bill Barker wrote:
 >This is correct. TC 3.2.4 never set the "secure" flag on that cookie,
 >and TC 3.3.2 would only set it if you enabled an option in server.xml.
 >This feature of TC is only on TC 4.0 and higher.

Thank you for confirming that.

I personally believe that this was a long but very interesting thread, containing a lot of information from the best authorities and otherwise difficult to gather and bring together intelligibly, about Tomcat's handling of authentication and HTTP/HTTPS sessions, session-id cookies under HTTP/HTTPS (and their changes over Tomcat versions), transmission over mod_jk of the HTTPS nature of the session, browser handling of secure/non-secure cookies, etc. Might this not usefully be brought together in a FAQ or article, which itself would be easy to find in the future? With everyone's permission, I would offer to write a draft, but I wouldn't have a clue as to how or where to publish this. Mind you, considering the scope, I can't even think of an appropriate title. Java Servlet Specification for Dummies?

André


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
